CNTRLPLANE-1750: Add FeatureGate: ConfigurablePKI

[sanchezl]

Add ConfigurablePKI feature gate.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

Hello @sanchezl! Some important instructions when contributing to openshift/api:
API design plays an important part in the user experience of OpenShift and as such API PRs are subject to a high level of scrutiny to ensure they follow our best practices. If you haven't already done so, please review the OpenShift API Conventions and ensure that your proposed changes are compliant. Following these conventions will help expedite the api review process for your PR.

[openshift-ci-robot]

@sanchezl: This pull request references CNTRLPLANE-1750 which is a valid jira issue.

Details

In response to this:

Add ConfigurablePKI feature gate.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

Adds a new exported feature gate FeatureGateConfigurablePKI in features/features.go, updates features.md, and updates payload manifests to list ConfigurablePKI as disabled in Default/OKD manifests and enabled in DevPreviewNoUpgrade and TechPreviewNoUpgrade manifests for Hypershift and SelfManagedHA.

Changes

Cohort / File(s)	Summary
Feature declaration features/features.go	Adds exported FeatureGateConfigurablePKI = newFeatureGate("ConfigurablePKI") and registers it in the allFeatureGates block with the same chained metadata calls (reportProblemsToJiraComponent, contactPerson, productScope, enhancementPR, enableIn) and mustRegister().
Documentation features.md	Adds a new row for ConfigurablePKI in the features table.
Payload manifests — Default / OKD (disabled) payload-manifests/featuregates/featureGate-Hypershift-Default.yaml, payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml, payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml, payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml	Inserts { "name": "ConfigurablePKI" } into each manifest's status.featureGates[].disabled list.
Payload manifests — DevPreview/TechPreview (enabled) payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml, payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml, payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml, payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml	Inserts { "name": "ConfigurablePKI" } into each manifest's status.featureGates[].enabled list, positioned after ClusterVersionOperatorConfiguration (and before ConsolePluginContentSecurityPolicy where applicable).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Verify the registration chain and mustRegister() call in features/features.go (strings, PR URL, contact, enableIn settings).
• Confirm ConfigurablePKI is placed correctly in each manifest's enabled/disabled arrays and ordering matches intent.
• Check features.md row matches manifest settings.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to Reviews -> Disable Knowledge Base setting

📥 Commits

Reviewing files that changed from the base of the PR and between 6e5bfe8 and 5602f3e.

📒 Files selected for processing (10)

• features.md (1 hunks)
• features/features.go (1 hunks)
• payload-manifests/featuregates/featureGate-Hypershift-Default.yaml (1 hunks)
• payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml (1 hunks)
• payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml (1 hunks)
• payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml (1 hunks)
• payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml (1 hunks)
• payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml (1 hunks)
• payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml (1 hunks)
• payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• payload-manifests/featuregates/featureGate-SelfManagedHA-TechPreviewNoUpgrade.yaml
• features.md

🧰 Additional context used

📓 Path-based instructions (1)

**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

• payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml
• payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml
• features/features.go
• payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
• payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml
• payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml
• payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
• payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml

🧬 Code graph analysis (1)

features/features.go (1)

config/v1/types_feature.go (2)

• DevPreviewNoUpgrade (49-49)
• TechPreviewNoUpgrade (45-45)

🔇 Additional comments (8)

payload-manifests/featuregates/featureGate-Hypershift-OKD.yaml (1)

83-85: LGTM!

The addition of ConfigurablePKI to the disabled list is correctly placed alphabetically and follows the established pattern for feature gate entries.

payload-manifests/featuregates/featureGate-Hypershift-DevPreviewNoUpgrade.yaml (1)

136-138: LGTM!

The addition of ConfigurablePKI to the enabled list is correctly placed and aligns with the feature gate definition in features.go that enables it for DevPreviewNoUpgrade.

payload-manifests/featuregates/featureGate-Hypershift-TechPreviewNoUpgrade.yaml (1)

148-150: LGTM!

The addition of ConfigurablePKI to the enabled list is correctly positioned and consistent with the feature gate configuration.

payload-manifests/featuregates/featureGate-SelfManagedHA-OKD.yaml (1)

83-85: LGTM!

The addition of ConfigurablePKI to the disabled list is correctly placed alphabetically between ClusterVersionOperatorConfiguration and DNSNameResolver.

payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml (1)

81-83: LGTM!

The addition of ConfigurablePKI to the disabled list is correctly positioned and follows the established pattern.

features/features.go (1)

933-939: LGTM!

The new feature gate definition follows the established pattern and is properly configured:

• Correctly enabled in DevPreviewNoUpgrade and TechPreviewNoUpgrade feature sets
• Proper metadata (Jira component, contact person, product scope)
• Enhancement PR link is valid (as confirmed in past review comments)
• Properly registered with mustRegister()

The configuration aligns with the manifest files, which correctly show ConfigurablePKI as enabled in DevPreview/TechPreview environments and disabled in Default/OKD environments.

payload-manifests/featuregates/featureGate-Hypershift-Default.yaml (1)

81-83: LGTM!

The addition of ConfigurablePKI to the disabled list is correctly placed and consistent with the Default feature set configuration.

payload-manifests/featuregates/featureGate-SelfManagedHA-DevPreviewNoUpgrade.yaml (1)

121-123: LGTM!

The addition of ConfigurablePKI to the enabled list is correctly placed alphabetically and aligns with the feature gate definition that enables it for DevPreviewNoUpgrade.

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.5.0)

Error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented
The command is terminated due to an error: build linters: unable to load custom analyzer "kubeapilinter": tools/_output/bin/kube-api-linter.so, plugin: not implemented

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sanchezl]

/cc @sjenning
/cc @patrickdillon
/cc @sadasu
/cc @sjenning
/cc @hasbro17
/cc @dusk125
/cc @p0lyn0mial

Looking for a statement as a "soft approval" for openshift/enhancements#1882 so I can proceed with merging this new FeatureGate. The enhancement still needs some polishing. I am looking for including the feature in 4.22.

[everettraven]

@sanchezl The EP has been up for a bit now and looking back at it I saw it is associated with https://issues.redhat.com/browse/OCPSTRAT-2271 which implies it has already undergone a "yes we should do this" kind of analysis.

Apologies for the oversight here - not sure why I missed that when I first looked at the EP description.

If you could run PROTO_OPTIONAL=true make update to regenerate the necessary generated files, that should pass the currently failing verify check.

Once that is done, I can tag this PR for merging - thanks!

[sanchezl]

... run PROTO_OPTIONAL=true make update ...
@everettraven Done

[everettraven]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: everettraven

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [everettraven]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aws-ovn
/test e2e-aws-ovn-hypershift
/test e2e-aws-ovn-hypershift-conformance
/test e2e-aws-ovn-techpreview
/test e2e-aws-serial-1of2
/test e2e-aws-serial-2of2
/test e2e-aws-serial-techpreview-1of2
/test e2e-aws-serial-techpreview-2of2
/test e2e-azure
/test e2e-gcp
/test e2e-upgrade
/test e2e-upgrade-out-of-change

[openshift-ci]

New changes are detected. LGTM label has been removed.

[openshift-ci]

@sanchezl: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-upgrade-out-of-change	6e5bfe8	link	true	/test e2e-upgrade-out-of-change
ci/prow/e2e-upgrade	6e5bfe8	link	true	/test e2e-upgrade
ci/prow/okd-scos-images	5602f3e	link	true	/test okd-scos-images
ci/prow/verify	5602f3e	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.